This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Microsoft App Aims to Delete the Password

Microsoft has officially launched its Authenticator app designed to simplify and secure user logins, raising questions about the future of password-free authentication.

Microsoft took another step toward eliminating passwords with the general availability release of its Authenticator application designed to swap traditional password authentication with push notifications.

Users typically fail at creating and managing their passwords. Despite the risks of using simple passwords, and using the same password for multiple accounts, users continue to favor convenience over security. Researchers discovered the most common password of 2016 was "123456."

The idea behind Authenticator is to simplify security by eliminating the need for passwords that require upper and lowercase letters, numbers, special characters, emojis, secret handshakes, etc., and moving the core of authentication from human memory to the device.

After downloading Microsoft Authenticator for iOS or Android devices, you add account information and just enter your username when accessing those websites. Instead of entering a password, you get a push notification. Tap "Approve," and you're logged in.

"We wanted to make it super easy for you to prove who you are," says Alex Simons, director of program management for Microsoft's identity division. The first step was getting rid of instances where you're used to typing in passwords.

"Passwords, overall, are a nuisance," he continues. "If you want to be secure, you have to manage all these different passwords for different services … but no one can do that. No one can make 20, 30, 40 different passwords in a secure way."

This isn't Microsoft's first foray into password elimination. Authenticator's implementation model, he says, is similar to that of Windows Hello, which lets users log into Windows 10 devices using biometric authentication.

Authenticator is initially geared towards consumers, says Simons, and there are about 800 million consumers actively using Microsoft accounts on a monthly basis. The company has plans for a business rollout, starting with a public preview later this fall, but anticipates faster adoption among consumers.

The authentication app works with online Microsoft accounts, as well as with Facebook-, Google-, and other user accounts.

Simplifying user access was one of the goals behind Authenticator. The other was to make it harder for criminals to break into devices.

Paul Cotter, senior security architect with West Monroe Partners, says Microsoft's update is arguably an improvement on "normal passwords" because users need to physically have their phones to access their accounts.

"The problem with a password is if someone finds your password, they can use it from any physical location to gain access to multiple online services," he explains. "With a phone authentication, a hacker would need the physical phone to be able to compromise."

However, he argues, Microsoft isn’t really "killing the password" with Authenticator.

"This is still a single-authentication method," Cotter explains. "There is still only one thing -- in this case, a phone rather than a password, that authenticates identity."

Multi-factor authentication is "the best answer to poor passwords,"he says, and is required to increase security because it diversifies authentication, making it tougher for thieves and cybercriminals to break into devices.

It's worth noting here that Microsoft views its App as two-factor authentication, but acknowledges there are multiple interpretations of what constitutes two-factor authentication. It views the phone as the first factor, and the PIN or fingerprint on the device as the second factor. Each sign-in requires both, the company explains.

Bad actors may need physical phone access to bypass Authenticator, but Cotter notes that phones are also easy to break into. People use simple passcodes (think "1234"), so moving authentication from person to device may only be shifting the risk.

Cotter also notes that biometric authentication could potentially run into problems with the Fifth Amendment. A few years back, courts determined a person could not be required to provide a password under the Fifth Amendment (the right to not self-incriminate). However, they can be compelled to provide a fingerprint that will unlock a device.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

@Dr.T: Yes. You can. Top InfoSec experts now advise that you actually do write down your passwords (randomly generated with entropy by a computer, of course) -- and then put that writing in a truly safe place (good place: your wallet, a locked safe; bad place: on a sticky note on your monitor, your desk, or in your top desk drawer).

I argued against this approach vehemently in a three-part series two years ago for InformationWeek: informationweek.com/software/operating-systems/bypassing-the-password-part-1-windows-10-scaremongering/a/d-id/1319969

Biometrics-only makes security weaker, the biometric data is still as easily compromised as the password data, and biometrics are much more limited (you only have so many fingers and eyes and whatnot). Plus the other issues addressed in this piece.

As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.

Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .

Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .

Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .

Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.

Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .